RE: RKDetect - behaviour based rootkit detection (updated)
From: Sergey V. Gordeychik (gordey_at_itsecurity.ru)
Date: 09/09/04
- Previous message: DeGennaro, Gregory: "RE: XP-SP2 "Feature""
- Maybe in reply to: Sergey V. Gordeychik: "RKDetect - behaviour based rootkit detection (updated)"
- Next in thread: Frank Knobbe: "Re: RKDetect - behaviour based rootkit detection (updated)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 9 Sep 2004 09:27:52 +0400 To: "Frank Knobbe" <frank@knobbe.us>
>Any respectable rootkit should hide its own presence
>so that you can't locate it. How would you go about detecting it when it
>is running?
A rootkit is not a "magic thing"; it is simple software which hacks other software and can be hacked by other software.
Hacker Defender uses the API hooking technique and doesn't hook API calls from some low-level system applications, such as SCM (today, only today), which is clearly demonstrated by this tool.
Other modern rootkits, like FU and PHIDE, use more sophisticated techniques, but they can also be detected (see the klister tool).
Regards,
Sergey V. Gordeychik,
MCSE since NT 4.0, MCSA, MCT.
**************************************************************************
Authorized Microsoft course on securing the corporate network
"Fundamentals of Network Security" at the "Informzashita" Training Center
http://www.itsecurity.ru/edu/kurs/ms_2810.html
---------------------------------------------------------------------------
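The cross-view check described in the message (an unhooked low-level SCM enumeration compared against a possibly hooked high-level enumeration) as an added example; this is illustrative Python, not RKDetect's own code. It assumes the low-level view is the text output of `sc query` and the high-level view is a list of service names returned by a higher-level API; both inputs below are constructed samples, and the service name "hiddensvc" is a placeholder.

```python
import re

# Constructed sample of `sc query` text output (the SCM view): two services.
SCM_VIEW = """\
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: hiddensvc
DISPLAY_NAME: Placeholder hidden service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# Constructed high-level view: what a hooked user-mode enumeration API
# would report when the rootkit filters its own service out of the list.
API_VIEW = ["Dnscache"]


def parse_sc_query(text):
    """Return {service_name: state_word} parsed from `sc query` style output."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            services[current] = None
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            services[current] = m.group(1)
    return services


def cross_view_diff(low_level, high_level):
    """Compare the SCM view with the high-level view.

    Returns (hidden, phantom): names present only in the low-level view are
    candidates hidden by an API hook; names present only in the high-level
    view are inconsistencies worth investigating as well."""
    hidden = sorted(set(low_level) - set(high_level))
    phantom = sorted(set(high_level) - set(low_level))
    return hidden, phantom


if __name__ == "__main__":
    print(cross_view_diff(parse_sc_query(SCM_VIEW), API_VIEW))
```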